A request including a user identifier is received from a third party to authenticate an access attempt by a person. The input of the user identifier is not accompanied by a password. A listing of associated mobile devices is transmitted to the third party. The person selects a mobile device to which an authentication notification should be sent. The notification is pushed to the mobile device. A user of the device views the notification and verifies whether the access should be allowed or denied. If access should be allowed, a first one-time password (OTP) is generated and transmitted to an authentication server. The server generates a second OTP. If the second OTP matches the first OTP, the server notifies the third party that access should be permitted. If the second OTP does not match the first OTP, the server notifies the third party that access should be blocked.